On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack (INFOCOM 2001, Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies)

On the Effectiveness of Probabilistic Packet Marking for IP Traceback under Denial of Service Attack. Kihong Park and Heejo Lee, INFOCOM 2001, Twentieth Annual Joint Conference of the IEEE Computer and Communications Societies, Proceedings, IEEE. Presented by FanChiang C.W. Advisor: Prof. Frank Y.S. Lin

OPLab, NTUIM, 2015/5/17. Agenda: Abstract; Introduction; Probabilistic Packet Marking and Traceback; DoS traceback minimax problem; DDoS traceback problem; Dynamic PPM scheme

Abstract. The optimal decision problem, in which the victim chooses the marking probability while the attacker chooses the spoofed marking value, the spoofed source address, and the attack volume, can be expressed as a constrained minimax optimization problem: the victim chooses the marking probability so that the number of forgeable attack paths is minimized, while the attacker chooses its variables to maximize it.

Introduction. Two contributions. First, the paper shows the trade-off between victim and attacker as a function of the marking probability, the path length, and the attack traffic volume. Second, for a given total attack volume, mounting the attack as a DDoS from several sources can amplify the uncertainty factor.

Probabilistic Packet Marking and Traceback

Probabilistic Packet Marking and Traceback. The network is modelled as a directed graph $G = (V, E)$, where $V$ is the set of nodes and $E$ the set of edges; the edges denote physical links between elements of $V$. Let $S \subset V$ denote the set of attackers and let $t \in V \setminus S$ denote the victim. For the single-source (DoS) case, $|S| = 1$.

Probabilistic Packet Marking and Traceback (con't). We assume that routes are fixed [1], and the attack path from the attacker $s$ to the victim $t$ is written $A = (s, v_1, \ldots, v_d, t)$, where $d$ is the number of routers on the path. [1] On the IP Internet, the majority of TCP sessions do not experience route changes during their connection lifetime. Generalization of PPM under dynamic routing (the routing process must be specified) is left as future work.

Probabilistic Packet Marking and Traceback (con't). [Figure: example topology with nodes A to G; animation showing packets marked by the attacker, packets marked by a router, and attack packets travelling toward the victim.]

Probabilistic Packet Marking and Traceback (con't). A packet $x$ is assumed to have a marking field in which the identity of a traversed edge $(v, v') \in E$ can be inscribed. The packet travels along the attack path $A$ sequentially. At hop $v_i \in \{v_1, \ldots, v_d\}$ the router overwrites the marking field of $x$ with the edge value $(v_{i-1}, v_i)$, $i = 1, 2, \ldots, d$, with probability $p$ ($0 \le p \le 1$), where $v_0 = s$. This is probabilistic marking: whichever router marks last wins, and a packet that no router marks keeps whatever value it arrived with.


Path Sampling. The probability that a packet reaches $t$ carrying the mark of router $v_i$ is $\alpha_i(p) = p(1-p)^{d-i}$ (1), and the probability that it arrives with no router mark at all is $\alpha_0(p) = (1-p)^d$ (2); such packets still carry whatever the attacker wrote into the marking field, so the attacker can hide his identity or fool the defender. When $N$ packets are transmitted, the expected number of packets reaching $t$ marked by $v_i$ is $n_i(p) = N\alpha_i(p)$. Note that $\alpha_1(p) \le \alpha_2(p) \le \cdots \le \alpha_d(p)$: marks from routers near the attacker are the rarest.

Path Sampling (con't). To receive at least one packet marked by $v_1$ in expectation requires $N \ge 1/\alpha_1(p)$. Because $N$ is under the attacker's control, from a purely sampling point of view the edge $(s, v_1)$ is the weakest link.


Path Sampling (con't). For the attacker's unmarked (spoofed) packets to be at least as frequent as the packets marked by $v_1$ we need $\alpha_0(p) \ge \alpha_1(p)$, i.e. $(1-p)^d \ge p(1-p)^{d-1}$, which has the solution $p \le 1/2$. In general, we may consider the spoofed packets outnumbering all router-marked packets combined, $\alpha_0(p) \ge \sum_{i=1}^{d} \alpha_i(p) = 1 - (1-p)^d$, i.e. $(1-p)^d \ge 1/2$, which gives $p \le 1 - 2^{-1/d}$; for $d = 10$ this is $p \le 0.067$.

Path Sampling (con't). The optimal selection of $N$, $d$, and the spoofed marking value $x_0$ by the attacker, and correspondingly the optimal selection of $p$ by the victim, to achieve their individual, conflicting objectives lies at the heart of the PPM approach to source identification.

Traceback Problem (con't). The spoofed marking variable $x_0$ can be fixed by the following argument. Suppose the attacker uses its unmarked packets to forge $m$ edges $(u_i, v_1)$, $i = 1, \ldots, m$, into the first router, each $u_i$ posing as a neighbour of $v_1$. Let $n^s_i(p)$ be the number of spoofed packets arriving at $t$ marked with $(u_i, v_1)$, so that $n_0(p) = \sum_{i=1}^{m} n^s_i(p)$. If it holds that $n^s_i(p) = n_1(p)$ for every $i$, then all $m + 1$ paths are equally likely, yielding the same outcome in terms of the marking values collected at $t$.

Traceback Problem (con't). We call $m$, a function of $p$ and of the spoofing variable $x_0$, the uncertainty factor with respect to the marking probability $p$. The larger $m$ is, the more processing cost the victim incurs to trace back the attack source.

Traceback Problem (con't). Thus the objective of the attacker is to maximize $m$, whereas the objective of the victim is to minimize $m$.
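The marking and spoofing model above, as an added worked example that is not part of the paper or of these slides: a Monte Carlo simulation of a $d$-hop path under PPM in which the attacker pre-fills the marking field with one of $m$ forged first-hop edges $(u_j, v_1)$. The node names, the uniform choice of forged edge, and the sample parameters are ours; what it shows is that with $m = 1/p - 1$ each forged edge arrives about as often as the true edge $(s, v_1)$, so the victim sees $m + 1$ equally plausible first hops.

```python
"""PPM path sampling with a spoofing attacker (added example; not the paper's code).

Model as on the slides: attack path A = (s, v_1, ..., v_d, t). Router v_i overwrites the
marking field with edge (v_{i-1}, v_i) with probability p; a packet no router marks keeps
the value the attacker wrote. The attacker writes one of m forged edges (u_j, v_1).
"""
import random
from collections import Counter


def alpha(i, p, d):
    """Probability that a packet reaches t carrying hop i's mark (i = 0: the attacker's own value)."""
    return (1 - p) ** d if i == 0 else p * (1 - p) ** (d - i)


def simulate_marks(N, p, d, m, seed=1):
    """Send N packets over d routers; the attacker pre-marks each packet with a forged edge
    (u_j, v1), j drawn uniformly from 1..m.  Returns a Counter of the marks seen by the victim."""
    rng = random.Random(seed)
    seen = Counter()
    for _ in range(N):
        mark = ("u%d" % rng.randrange(1, m + 1), "v1")     # spoofed marking-field value
        for i in range(1, d + 1):
            if rng.random() < p:                            # router v_i marks with probability p
                prev = "s" if i == 1 else "v%d" % (i - 1)
                mark = (prev, "v%d" % i)                    # the last router to mark wins
        seen[mark] += 1
    return seen


def first_hop_candidates(seen):
    """Edges into v1 observed at the victim, with their packet counts; exactly one, (s, v1), is real."""
    return {edge: n for edge, n in seen.items() if edge[1] == "v1"}


def max_forgeable(p):
    """Uncertainty factor the attacker can reach: m = n_0 / n_1 = (1-p)^d / (p (1-p)^(d-1)) = 1/p - 1."""
    return 1.0 / p - 1.0


if __name__ == "__main__":
    d, p, N = 10, 0.1, 100_000            # sample parameters (ours)
    m = int(round(max_forgeable(p)))      # 9 forged first-hop edges
    seen = simulate_marks(N, p, d, m)
    expected = N * alpha(1, p, d)
    for edge, n in sorted(first_hop_candidates(seen).items()):
        print(edge, n, "(expected count of the true edge: %.0f)" % expected)
    unmarked = sum(n for e, n in seen.items() if e[0].startswith("u"))
    print("packets with no router mark:", unmarked, "expected %.0f" % (N * alpha(0, p, d)))
```

With $d = 10$, $p = 0.1$ and $m = 9$, every one of the ten candidate first-hop edges is seen roughly $N\alpha_1(p) \approx 3874$ times, which is exactly the indistinguishability the slides describe; raising $p$ shrinks $m$ but also shrinks $\alpha_1(p)$, which is the tension the sampling constraint below captures.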

Traceback Problem (con't). The formulation in (III.5) does not incorporate the attack volume $N$ and thus unduly favors the victim. A sampling constraint is added by requiring $N\alpha_1(p) = Np(1-p)^{d-1} \ge 1$ (III.6), i.e. the victim must expect at least one packet marked by the first router.

2015/5/17OPLab, NTUIM 25 Traceback Problem (con’t) Thus the refined minimax optimization reflecting the victim’s sampling constraint is given by Nα 1 (p) = N p(1-p) d-1 ≧ 1 as a function of p has a unimodal (or bell) shape with peak at p = 1/d

ANALYSIS OF SINGLE-SOURCE DOS ATTACK

ANALYSIS OF SINGLE-SOURCE DOS ATTACK. The random selection in (IV.1), which spreads the $n_0(p) = \sum_{i=1}^{m} n^s_i(p)$ spoofed packets uniformly over the $m$ forged edges, can be derandomized, that is, replaced by a deterministic procedure that emulates uniform generation.

ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con't). Given $p$ (determined by the victim), the attacker can achieve $m = 1/p - 1$: with $n_0(p) = m\,n_1(p)$ we get $m = n_0(p)/n_1(p) = (1-p)^d / \big(p(1-p)^{d-1}\big) = (1-p)/p$.

ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con't). With constraint (III.6) we can define the feasible set $L_N = \{\, p \in [0, 1] : Np(1-p)^{d-1} \ge 1 \,\}$, and it can be checked that when $d \ge 2$, $L_N$ is convex in $p$ (an interval, because $\alpha_1$ is unimodal).

ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con't). The problem can be viewed as the minimization of the objective function $1/p - 1$ over $L_N$ for $N = N_0, N_0 + 1, \ldots$, where $N_0$ is the smallest volume for which $L_N$ is non-empty. The next result gives a performance bound on the attacker's ability to hide his identity under PPM.

ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con't). Theorem 2 shows that the maximum achievable uncertainty factor cannot exceed $d - 1$, where $d$ is the distance between attacker and victim: the victim picks the largest feasible $p$, and since the peak of $N\alpha_1(p)$ is at $p = 1/d$, the largest feasible $p$ is at least $1/d$ whenever $L_N$ is non-empty, so $m = 1/p - 1 \le d - 1$. On the Internet, most path lengths are bounded by 25 [29]. [29] Wolfgang Theilmann and Kurt Rothermel, "Dynamic distance maps of the Internet," in Proc. of IEEE INFOCOM 2000, March 2000.

ANALYSIS OF SINGLE-SOURCE DOS ATTACK (con't). Example: $d = 10$, $N = 26$. This $N$ is the smallest integer volume satisfying $N \ge d^d/(d-1)^{d-1} \approx 25.8$, so $L_N$ collapses to a tiny interval around $p = 1/d = 0.1$ and the victim is forced to $p \approx 0.1$. Thus the attacker, by judiciously choosing the attack volume, can maximally hide his identity, with the uncertainty factor approaching $d - 1$.

Approximation of Uncertainty Factor. Start from $Np(1-p)^{d-1} \ge 1$. The equation $Np(1-p)^{d-1} = 1$ is transformed into the polynomial $x^n - x^{n-1} + c = 0$ by substituting $p$, $N$, $d$ with $1 - x$, $1/c$, $n$ respectively. Dividing $Np(1-p)^{d-1} = 1$ by $N$ and writing $p = 1 - x$ ($0 \le x \le 1$), it becomes $(1 - x)\,x^{d-1} = 1/N$.

Approximation of Uncertainty Factor (con't). Assume $N \gg 1$, so $1/N \approx 0$. First consider $x^{d-1}$ close to 1: the left-hand side becomes $1 - x$, giving $x \approx 1 - 1/N$ (consistent, since $(1 - 1/N)^{d-1} \to 1$ as $N \to \infty$). Next consider $1 - x$ close to 1, i.e. $x$ small: the left-hand side becomes $x^{d-1} = 1/N$, giving the approximate solution $x = N^{-1/(d-1)}$.

Approximation of Uncertainty Factor (con't). Thus the two roots are approximately $x \approx 1 - 1/N$ and $x \approx N^{-1/(d-1)}$. Therefore, in terms of $p = 1 - x$, $L_N \approx [\,1/N,\; 1 - N^{-1/(d-1)}\,]$.

Approximation of Uncertainty Factor (con't). The victim takes the largest feasible $p$, so the maximum uncertainty value $m$ of the minimax optimization problem is approximately $m \approx \frac{1}{1 - N^{-1/(d-1)}} - 1 = \frac{1}{N^{1/(d-1)} - 1}$. For $N = 10^5$, $d = 25$ and for $N = 10^7$, $d = 25$ this gives an $m$ between 1 and 2: once the attack volume is large, the attacker can forge at most one or two extra first-hop edges.

Marking Probability. [Figure: uncertainty factor and expected number of spoofed packets versus the marking probability $p$.]

Marking Probability (con't). The victim's best marking probability scales as $p \propto 1/d$, and the uncertainty factor as $m \propto 1/p$. Given $N$, as the distance $d$ decreases, the expected number of spoofed (unmarked) packets $N_s = N(1-p)^d$ increases at any given value of $p$. Nevertheless, when the source of an attack is far from the victim, the attacker becomes more potent at impeding traceback, because the victim is forced to a smaller $p$ and the bound $d - 1$ grows.

Attack Distance. [Figure: optimal uncertainty factor versus attack distance $d$.]

Attack Distance (con't). Since the distance between an attacker and victim is bounded on the Internet, an attacker has limited ability to hide his location when subject to probabilistic packet marking.

Attack Volume. To satisfy the sampling constraint, $N$ needs to be at least $d^d/(d-1)^{d-1}$ (the value of $1/\alpha_1(p)$ at the peak $p = 1/d$). As $N$ increases, the victim can reduce the number of forgeable paths to fewer than $d - 1$.

V. DDoS Attack

DDoS Attack. Following the uncertainty optimization framework, given a desired total attack volume $N$, an amplification factor of $M$ can be trivially achieved by mounting $N/M$-volume attacks from $M$ separate attack sites, since each source's volume $N/M$ must separately satisfy the sampling constraint.

DDoS Attack (con't). $m^*(\cdot)$ denotes the optimum (i.e. minimax) uncertainty factor for the traffic volume given as its argument.

DDoS Attack Model – Classification. Any-source traceback: the attacker is assumed to be vulnerable to further traceback once a single compromised attack host is identified. Thus the attacker seeks to fortify the weakest link, i.e. maximize the uncertainty factor of each individual attack host, whereas the victim tries to find one weak attack host.

DDoS Attack Model – Classification (con't). All-source traceback: we assume the attacker is able to mount stateless intrusions when gathering attack hosts, so his objective is to maximize the total uncertainty (versus the individual uncertainty in the any-source case), since quick traceback of an individual attack host does not present a danger of revealing further traceback information.

DDoS Attack Model – Classification (con't). The attacker's objective is to maximize the number of forged paths the victim has to process, and the victim's goal is to isolate or shut down the traffic flow emanating from compromised hosts.

DDoS Attack Model – Traceback Analysis. Given $M$ distinct sources, each source $s_i$ sends $N_i$ packets to the victim $t$ over a path of length $d_i$, $1 \le i \le M$. The attack path is $A_i = (s_i, v_{i,1}, v_{i,2}, \ldots, v_{i,d_i}, t)$. Without loss of generality, assume $d_i \le d_j$ for $i < j$.

DDoS Attack Model – Traceback Analysis (con't). Thus the expected number of spoofed (unmarked) packets from $s_i$ is $N^s_i = N_i(1-p)^{d_i}$ for $1 \le i \le M$, and the expected number of packets marked by $v_{i,1}$ is $N_i\,p(1-p)^{d_i - 1}$.

DDoS Attack Model – Traceback Analysis (con't). An attack host $s_i$ may use its $N^s_i$ spoofed packets to increase its own uncertainty factor $m_i$, or it may use its forged packets to help amplify the uncertainty factor $m_j$ of some other attack host $j \ne i$.

DDoS Attack Model – Traceback Analysis (con't). Thus the any-source traceback case reduces to the single-source traceback problem.


Numerical Evaluation of Traceback. Let $N_i = N/M$ and $d_i = d$ for $1 \le i \le M$, which facilitates comparability. Let $m^*(N_i)$ be the uncertainty factor achievable with volume $N_i$. Then $m^*(N/M)/m^*(N)$ represents the expansion rate of the uncertainty factor with respect to the distribution factor $M$.
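The single-source minimax (the feasible set $L_N$, the victim's optimum $p$, the closed-form approximation, Theorem 2's bound, and the minimum volume $d^d/(d-1)^{d-1}$) together with the DDoS expansion rate $m^*(N/M)/m^*(N)$, as an added worked example that is not part of the paper or of these slides. It finds the exact endpoints of $L_N$ by bisection so that they can be compared with the approximation; the function names and the sample parameters are ours.

```python
"""Victim-side minimax for single-source PPM and the DDoS expansion rate (added example)."""
import math


def alpha1(p, d):
    """Probability that a packet arrives marked by the first router v_1."""
    return p * (1 - p) ** (d - 1)


def min_volume(d):
    """Smallest attack volume for which N * alpha_1(p) >= 1 can hold at all:
    alpha_1 peaks at p = 1/d, so N >= 1/alpha_1(1/d) = d^d / (d-1)^(d-1)."""
    return d ** d / (d - 1) ** (d - 1)


def feasible_interval(N, d):
    """L_N = {p : N p (1-p)^(d-1) >= 1}.  alpha_1 is unimodal with its peak at 1/d, so L_N is
    an interval around the peak; each endpoint is found by bisection on N*alpha_1(p) - 1.
    Returns (p_low, p_high), or None when N is below min_volume(d)."""
    peak = 1.0 / d
    if N * alpha1(peak, d) < 1:
        return None

    def g(p):
        return N * alpha1(p, d) - 1

    def bisect(lo, hi):
        # invariant: g(lo) and g(hi) have opposite signs (g = -1 at both p = 0 and p = 1)
        g_lo = g(lo)
        for _ in range(200):
            mid = 0.5 * (lo + hi)
            if (g(mid) < 0) == (g_lo < 0):
                lo, g_lo = mid, g(mid)
            else:
                hi = mid
        return 0.5 * (lo + hi)

    return bisect(0.0, peak), bisect(peak, 1.0)


def victim_optimum(N, d):
    """The victim minimises m = 1/p - 1 over L_N, i.e. takes the largest feasible p.
    Returns (p_star, m_star), or None if the volume is too small to sample the first edge."""
    interval = feasible_interval(N, d)
    if interval is None:
        return None
    p_star = interval[1]
    return p_star, 1.0 / p_star - 1.0


def approx_m(N, d):
    """Closed-form approximation from the slides: for large N the small root of
    (1-x) x^(d-1) = 1/N is x ~ N^(-1/(d-1)), and m = x / (1-x)."""
    x = N ** (-1.0 / (d - 1))
    return x / (1 - x)


def ddos_expansion(N, d, M):
    """m*(N/M) / m*(N): how much splitting volume N over M equidistant sources inflates the
    per-source uncertainty factor.  None if N/M cannot satisfy the sampling constraint."""
    whole, split = victim_optimum(N, d), victim_optimum(N / M, d)
    if whole is None or split is None:
        return None
    return split[1] / whole[1]


if __name__ == "__main__":
    print("d=10: minimum volume", math.ceil(min_volume(10)))
    for N, d in [(26, 10), (10**5, 25), (10**7, 25)]:
        p_star, m_star = victim_optimum(N, d)
        print("N=%g d=%d  p*=%.4f  m*=%.3f  approx=%.3f  bound d-1=%d"
              % (N, d, p_star, m_star, approx_m(N, d), d - 1))
    print("expansion rate, N=1e5 d=25 M=10:", ddos_expansion(10**5, 25, 10))
```

Two things worth noticing when running it: at $d = 10$ the constraint is infeasible for $N = 25$ and just feasible for $N = 26$, where $m^*$ sits close to the bound $d - 1 = 9$; and at $d = 25$ the exact $m^*$ for $N = 10^5$ is noticeably larger than the slides' approximation, so a victim tuning $p$ should solve the constraint rather than rely on the closed form. Splitting $N = 10^5$ over $M = 10$ sources raises each source's $m^*$ by a factor above 1, which is the DDoS amplification the next slides discuss.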

Numerical Evaluation of Traceback (con't). [Figure: expansion rate versus the distribution factor $M$.]

Conclusion. PPM has the advantages of efficiency and implementability over DPM; however, it has the potential drawback that an attacker may impede traceback by sending packets with spoofed marking-field values as well as spoofed source IP addresses.

Conclusion (con't). While it is always possible for an attacker to impede exact traceback by the victim, the attacker's ability to affect uncertainty is limited in internetworks with bounded diameters.

Because the result depends on the length $d$ of the OD (origin-destination) pair, the next paper, which proposes a Dynamic PPM scheme, is introduced briefly.

Efficient Dynamic Probabilistic Packet Marking for IP Traceback. Networks, ICON 2003, The 11th IEEE International Conference on Networks.

Agenda: Introduction; Preliminaries; Dynamic Probabilistic Packet Marking; Performance Analysis; Concluding remarks

Introduction. It has been shown that PPM suffers from uncertainty under attacks with spoofed packets. During a DDoS attack the uncertainty factor may be amplified significantly, which diminishes the effectiveness of PPM.

Introduction (con't). To improve the effectiveness of PPM, this paper proposes a new scheme, DPPM. Instead of a fixed marking probability, DPPM chooses the marking probability at each router as an inverse function of the number of hops the packet has already travelled on its OD path, which the router infers from the TTL field.

Preliminaries – Issues in Choosing Probability. Consider an attack path $A = (a, r_1, r_2, \ldots, r_D, v)$, where $a$ and $v$ denote the attacker and the victim of a DoS incident, $D + 1$ is the distance between them, and $r_i$ ($i = 1, 2, \ldots, D$) denote the $D$ routers on the attack path.

Preliminaries – Issues in Choosing Probability (con't). Let $p_i$ be the marking probability of router $r_i$. Define the leftover probability of router $r_i$, denoted $a_i$, as $a_i = p_i \prod_{j=i+1}^{D} (1 - p_j)$ (1), the probability that $r_i$'s mark is the one that survives to the victim. Because in PPM $p$ is fixed, $a_i = p(1-p)^{D-i}$ (2). Therefore the leftover probability is geometrically smaller the closer the router is to the attacker.

Preliminaries – Issues in Choosing Probability (con't). Let $N$ denote the total number of attacking packets (attack volume) from an attacker to a victim.

Preliminaries – Issues in Choosing Probability (con't). The probability that a packet reaches the victim without any marking is $a_0 = (1 - p)^D$. Attackers may spoof the marking field with false values in order to hide themselves or the attack path. If a packet is not marked by any router along the path, the spoofed value reaches the victim and may yield false information during path reconstruction.

Preliminaries – Issues in Choosing Probability (con't). [Figure: leftover probability $a_i$ per router under fixed-$p$ PPM.]

DPPM. Goals: (1) a uniform leftover probability for all routers; (2) to remove the uncertainty factor introduced by spoofed packets completely, by ensuring that every packet receives a legitimate mark along the path.

DPPM (con't). DPPM sets the marking probability of router $r_i$, the $i$-th hop from the source, to $p_i = 1/i$, where $i$ is the hop count inferred from the TTL, so that $a_i = \frac{1}{i}\prod_{j=i+1}^{D}\left(1 - \frac{1}{j}\right) = \frac{1}{i}\cdot\frac{i}{D} = \frac{1}{D}$ (3), and $a_0 = \prod_{j=1}^{D}(1 - 1/j) = 0$ because the first router always marks. Eq. 3 shows that each router along the attack path has the same probability of leaving its information in the marking field. In other words, the victim has an equal probability of obtaining each router's information along the path regardless of its distance from the victim.

DPPM (con't). [Figure: marking probability and leftover probability per router under DPPM.]

Challenge on spoofed TTL value. DPPM infers the hop count from the TTL field, whose initial value is set by the sender, i.e. by the attacker.

Challenge on spoofed TTL value (con't). An attacker may set the initial TTL to 129; DPPM would then choose $p$ as $1/126$ ($\approx 0.0079$) at the first router, the attacker's spoofed marking is very likely to reach the victim untouched, and the attacker can get away without any trace.
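Leftover probabilities under fixed-$p$ PPM versus DPPM, and the effect of a spoofed TTL, as an added worked example that is not from either paper or from these slides. Eq. (1) is implemented as written; the DPPM rule $p_i = 1/i$ and the way a spoofed TTL is modelled (every router over-counts the hops travelled by a constant offset, so that the slide's $p = 1/126$ at the first router corresponds to an offset of 125) are our assumptions, as are the function names and sample parameters.

```python
"""Leftover (sampling) probabilities under PPM and DPPM, including a spoofed TTL (added example)."""


def leftover(probs):
    """probs[i-1] is the marking probability p_i of router r_i, i = 1..D, ordered from the
    attacker towards the victim.  Returns [a_0, a_1, ..., a_D] where
      a_i = p_i * prod_{j>i} (1 - p_j)   (Eq. 1 on the slides: r_i's mark survives to the victim)
      a_0 = prod_j (1 - p_j)             (no router marks, so the attacker's own value survives)."""
    D = len(probs)
    a = [0.0] * (D + 1)
    survive = 1.0                               # chance that no router beyond hop i overwrites the field
    for i in range(D, -1, -1):                  # walk from the victim back towards the attacker
        p_i = 1.0 if i == 0 else probs[i - 1]   # p_0 = 1: the attacker always writes the field
        a[i] = p_i * survive
        if i > 0:
            survive *= 1.0 - probs[i - 1]
    return a


def ppm_probs(p, D):
    """Classic PPM: every router marks with the same fixed p."""
    return [p] * D


def dppm_probs(D, hop_offset=0):
    """DPPM: router r_i marks with 1/h, h being the hop count it infers from the TTL.
    hop_offset models a spoofed initial TTL that makes every router over-count by a constant
    (0 = honest packets).  This offset model is an assumption of the example, not the
    paper's exact TTL-to-hop rule."""
    return [1.0 / (i + hop_offset) for i in range(1, D + 1)]


def forgeable_first_edges(a):
    """Uncertainty factor m = a_0 / a_1: how many fake edges into r_1 the attacker can make
    look exactly as frequent as the real one."""
    return a[0] / a[1] if a[1] > 0 else float("inf")


if __name__ == "__main__":
    D = 10
    cases = [("PPM p=0.1", ppm_probs(0.1, D)),
             ("DPPM, honest TTL", dppm_probs(D)),
             ("DPPM, TTL spoofed (offset 125)", dppm_probs(D, hop_offset=125))]
    for label, probs in cases:
        a = leftover(probs)
        print("%-32s a_0=%.4f a_1=%.4f a_D=%.4f  m=%.1f"
              % (label, a[0], a[1], a[D], forgeable_first_edges(a)))
```

For $D = 10$ the three rows make the slides' argument concrete: fixed $p = 0.1$ leaves $a_0 \approx 0.35$ and $m = 9$; honest DPPM gives every router $a_i = 1/D$ and $a_0 = 0$, so no spoofed value ever reaches the victim; and a TTL spoofed so that the first router believes it is hop 126 sends $a_0 = 125/135 \approx 0.93$ of the packets through untouched, with $m = 125$ forgeable first-hop edges, far worse than fixed-$p$ PPM.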


Summary. Notation: path length $d_i$, marking probability $p$, spoofing packet rate $p_s$, attack volume $N$, spoofed packets $N_s$, uncertainty factor $m$. As $d_i$ increases, the maximum $m_i$ increases; as $p_s$ increases, $m$ increases; as $p$ increases, $m$ decreases; as $N$ decreases, $m$ increases.

Summary (con't). The PPM used as the reference in this paper is a framework: each router on a path only needs to mark at least one packet for an attack path to be reconstructed. A PPM scheme suited to DDoS was proposed in IEEE/ACM Transactions on Networking, Vol. 16, Feb. 2008.

Summary (con't). To improve the security of PPM, that paper proposes message fragmentation: the marking information is split into several fragments, and a router injects only one randomly chosen fragment each time it marks. The victim therefore has to collect more packets before it can reassemble the fragments into traceback information, reconstruct the attack path, pick the most appropriate router and turn on a filter there. Under a different PPM architecture the relation $m = 1/p - 1$ may need its parameters adjusted.

Summary (con't). Attacker: increases the number of attack paths the defender has to process, and spoofs the marking field to mislead the defender about the attack source and exhaust defence resources. Defender: after collecting enough path information, finds the most appropriate router and turns on a filter there; if some path has no filter that can drop the attack packets, a routing strategy steers those packets to the nearest filter.

Summary (con't). Comparison of senior student 政祐's work with my work:
Item | 政祐's work | My work
PPM scheme and false positive rate | X | O
Spoofed packets may amplify the error rate and increase the victim's processing cost | X | O
Rerouting | O | O
Filter allocation | Uses Lagrangean relaxation (LR), the subgradient method and heuristics to find the filter placement that minimizes collateral damage | Uses PPM traceback while considering the false positive rate, the attack characteristics ($N$, $d$, topology) and spoofed information; the filter locations are given, and LR is used to find the optimal ON-configuration strategy that minimizes collateral damage

Thank you for listening.